Rowland Penny
2024-Feb-28 11:18 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 28 Feb 2024 11:56:13 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> I tried that. As follows:
>
> [root@machinename mnt]# kinit -k MACHINENAME$

Fairly sure I have said this already, but if I haven't, I will say it now:

Do not use kinit to get the machine's Kerberos ticket, winbind has already acquired one for you.

> [root@machinename mnt]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: MACHINENAME$@CAMPUS
>
> Valid starting       Expires              Service principal
> 02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS@CAMPUS
>         renew until 02/29/2024 11:50:55
> [root@machinename mnt]# mount -t cifs //server/share /mnt/test
> -osec=krb5,multiuser,username=MACHINENAME$
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> I don't understand this

I do.

Let's look at this line from your klist output:

    Ticket cache: FILE:/tmp/krb5cc_0

The number(s) after the '_' is the Unix ID of the owner.

Now we all know who '0' is (at least I hope we do) ;-)

I do not have a Kerberos ticket for the machine in /tmp, but the share is still mounted.

Rowland
Pluess, Tobias
2024-Feb-28 13:22 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi Rowland,

Yes, sure, I know who user '0' is ;-) So where should the ticket be then?

I just rebooted the PC and logged in via SSH as root. There is no ticket for the machine :-( even though the Active Directory join seems to be OK, as "net ads testjoin" says so.

I am still a bit lost on how I should proceed. To have this all working more or less, I just mounted the shares with the credentials file. This is fine, as it works reliably, but has the drawback that the access permissions are not per-user. But maybe I will stick to that anyways, as it seems I am not able to get the other option to work. Obviously something is missing, but I have absolutely no idea which part I missed.

On Wed, Feb 28, 2024 at 12:19 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Feb 2024 11:56:13 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > I tried that. As follows:
> >
> > [root@machinename mnt]# kinit -k MACHINENAME$
>
> Fairly sure I have said this already, but if I haven't, I will say it
> now:
>
> Do not use kinit to get the machine's Kerberos ticket, winbind has
> already acquired one for you.
>
> > [root@machinename mnt]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: MACHINENAME$@CAMPUS
> >
> > Valid starting       Expires              Service principal
> > 02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS@CAMPUS
> >         renew until 02/29/2024 11:50:55
> > [root@machinename mnt]# mount -t cifs //server/share /mnt/test
> > -osec=krb5,multiuser,username=MACHINENAME$
> > mount error(13): Permission denied
> > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> >
> > I don't understand this
>
> I do.
>
> Let's look at this line from your klist output:
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> The number(s) after the '_' is the Unix ID of the owner.
>
> Now we all know who '0' is (at least I hope we do) ;-)
>
> I do not have a Kerberos ticket for the machine in /tmp, but the
> share is still mounted.
>
> Rowland
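
An added example, not part of either message: a small shell parser for the klist output discussed in this thread, reporting the cache type, the UID encoded in a FILE:/tmp/krb5cc_<uid> name, and whether the default principal is a machine account (name ending in '$'). The function name ccache_summary and the sample text (constructed from the output quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise `klist` output read from stdin.
# Prints one line: cache_type cache_path uid principal kind
#   uid  = digits after "krb5cc_" in a FILE cache name, "-" if not derivable
#   kind = "machine" if the principal name ends in "$", otherwise "user"
# Returns 1 (and prints nothing) if no cache/principal lines are present.
ccache_summary() {
    awk '
        /^Ticket cache:/ {
            spec = $3
            n = index(spec, ":")
            if (n > 0) { type = substr(spec, 1, n - 1); path = substr(spec, n + 1) }
            else       { type = "FILE"; path = spec }
        }
        /^Default principal:/ { princ = $3 }
        END {
            if (spec == "" || princ == "") exit 1
            uid = "-"
            base = path; sub(/.*\//, "", base)
            # Handles krb5cc_0 as well as suffixed names like krb5cc_1000_AbCdEf
            if (type == "FILE" && base ~ /^krb5cc_[0-9]+/) {
                uid = base; sub(/^krb5cc_/, "", uid); sub(/[^0-9].*$/, "", uid)
            }
            name = princ; sub(/@.*/, "", name)
            kind = (name ~ /\$$/) ? "machine" : "user"
            print type, path, uid, princ, kind
        }'
}

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MACHINENAME$@CAMPUS

Valid starting       Expires              Service principal
02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS@CAMPUS
        renew until 02/29/2024 11:50:55'

# Demo: summarise the sample; on a live host use `klist | ccache_summary`.
printf '%s\n' "$SAMPLE_KLIST" | ccache_summary
```

For the sample, the summary shows a machine principal held in the cache belonging to UID 0, which is the situation Rowland points out.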